Securing Server - Qmail

chromedome

Guest
We've had issues over the last year or so where we have been playing cat and mouse with PHP exploits and Perl scripts generating massive amounts of spam, filling our queues, and making life generally miserable.

Steps we have taken in the past:

Upgrade php
Moved /tmp to its own partition and set up noexec
Installed and regularly run chkrootkit
Installed qmHandle to monitor and clean the queue

We have 2 servers that have gotten hit. One is FreeBSD 5.3, the other is CentOS 3.3, both are running Plesk 7.5.4

Here are my questions:
What is the best way to search out for old/exploitable php scripts?
What is the best way to "lockdown" qmail so that these scripts can not turn the box into a spam-generator?
What general "lockdown" recommendations would you add to what we have already done?


Your help is appreciated.
 
Originally posted by chromedome
What is the best way to "lockdown" qmail so that these scripts can not turn the box into a spam-generator
Not sure Qmail can be locked down as you are thinking. It would have no way of knowing if a message has originated from an exploited script or not.
Originally posted by chromedome
What general "lockdown" recommendations would you add to what we have already done?
ART's Atomic Secured Linux (ASL) Project

AtomicRocketTurtle's ASL
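
Related to the qmail question in the post above: qmail does not inspect content, but qmail-queue stamps the topmost Received line of every message with whether it arrived from the network or was injected by a local uid. The following is an added example, not part of the original posts, that tallies queued messages by that source so a flood injected by the web server account stands out; the sample messages and uid 48 are constructed, and the queue path in the usage comment assumes the stock qmail location.

```python
import re
import sys
from collections import Counter
from pathlib import Path

# qmail-queue prepends one line recording how each message entered the queue:
#   Received: (qmail 1234 invoked by uid 48); ...     -> local process running as uid 48
#   Received: (qmail 1234 invoked from network); ...  -> accepted over SMTP
INVOKED = re.compile(
    rb"Received: \(qmail \d+ invoked (by uid (\d+)|from network|by alias|for bounce)\)")

def injection_source(raw: bytes) -> str:
    """Classify a message by its topmost qmail Received line (the local one)."""
    for line in raw.split(b"\n"):
        if not line.strip():              # blank line ends the header block
            break
        m = INVOKED.match(line)
        if m:                             # first match only: lower lines are sender-controlled
            return f"uid {int(m.group(2))}" if m.group(2) else m.group(1).decode()
    return "unknown"

def tally(messages) -> Counter:
    """Count messages per injection source."""
    return Counter(injection_source(m) for m in messages)

def read_queue(mess_dir: str):
    """Yield the first 8 KiB of every file under the queue's mess/ directory."""
    for f in Path(mess_dir).rglob("*"):
        if f.is_file():
            with f.open("rb") as fh:
                yield fh.read(8192)

# Constructed sample messages (not from a real queue). uid 48 stands in for the
# web server account; the real uid differs per system.
SAMPLES = [
    b"Received: (qmail 4101 invoked by uid 48); 1 Jan 2005 03:00:01 -0000\n"
    b"To: a@example.net\nSubject: x\n\nbody\n",
    b"Received: (qmail 4102 invoked by uid 48); 1 Jan 2005 03:00:01 -0000\n"
    b"Received: (qmail 9 invoked by uid 0); 1 Jan 2005 02:00:00 -0000\n\nbody\n",
    b"Received: (qmail 4110 invoked from network); 1 Jan 2005 03:00:05 -0000\n"
    b"Received: from mx.example.org (192.0.2.10) by 0 with SMTP; 1 Jan 2005\n\nhi\n",
    b"Subject: no qmail line\n\nReceived: (qmail 1 invoked by uid 0); in body\n",
]

if __name__ == "__main__":
    # Usage: script.py /var/qmail/queue/mess  (stock qmail path, run as root)
    msgs = read_queue(sys.argv[1]) if len(sys.argv) > 1 else SAMPLES
    for source, n in tally(msgs).most_common():
        print(f"{n:6d}  {source}")
```

A uid that dominates the tally can be matched against /etc/passwd to see which account, and therefore which site or service, is injecting the mail.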
 
Are you each using the systems listed above? It appears that ART's ASL project contains several of the suggestions listed by eilko.

Assuming I were to put a dev machine online with these new changes, do they play nice with Plesk, or would we be married to ART's updates? (nothing against them - just curious)

Thank you for your suggestions.
 
The ASL project is IMO a more complete approach. Once installed, you would do best to continue to get the updates for all related packages from ART's yum repository. I suppose you could try mixing in updates from other sources, but it would definitely not necessarily be in your best interests.

The ASL is not really Plesk related at all, so should not pose any problems with Plesk.

You could also do your Plesk updates from ART's repository (I do without any problems), as well as other packages (such as php, mysql, etc).

ART = atomicrocketturtle = an original founder of Plesk before the SWSoft buyout = he is astounding at what he does.
 